Security & Compliance

Dcycle is designed for enterprise sustainability data management. This page covers how we protect your data, manage access, and handle security across the platform and API.

API Key Lifecycle

API keys are the primary credential for programmatic access to Dcycle. For step-by-step instructions on creating and using API keys, see Authentication.

| Phase | What Happens |
| --- | --- |
| Creation | Generated via Dcycle web UI, bound to the creating user |
| Storage | Stored in an encrypted PostgreSQL database (AWS RDS, AES-256) |
| Protection | All communication over TLS 1.2+ (HTTPS enforced) |
| Rotation | Create a new key, migrate integrations, revoke the old one |
| Revocation | Immediate via the UI — all requests with that key return 401 |

API keys are generated from the Dcycle web application under Settings > API Keys. Each key is bound to the user who created it — all data uploaded with that key is attributed to that user for audit and compliance purposes.

Keys are displayed once at creation time and cannot be retrieved afterward. You can name keys descriptively (e.g., “Production ETL Pipeline”) to track their purpose.

How to create an API key →

API keys are stored in an encrypted PostgreSQL database hosted on AWS RDS with encryption at rest enabled (AES-256). Only a key prefix is displayed in the management UI after initial creation.

The database is deployed in a private VPC subnet with no public internet access. Access is restricted to application servers via security groups.

All API communication uses TLS 1.2+ (HTTPS enforced). HTTP requests are rejected at the load balancer level.

API keys are transmitted in request headers (x-api-key) over encrypted connections. We recommend storing keys in environment variables or secret managers — never in source code or version control.

Security best practices →

We recommend rotating API keys every 3-6 months. The rotation process requires no downtime:
  1. Generate a new API key
  2. Update your integrations to use the new key
  3. Verify the new key works correctly
  4. Revoke the old key
Multiple active keys can coexist per organization, enabling zero-downtime rotation.

API keys can be revoked immediately from the management UI (Settings > API Keys). Once revoked, all requests using that key return 401 Unauthorized instantly. This action cannot be undone.

How to revoke an API key →
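
The rotation steps above can be checked from the client side before and after the old key is revoked. The following is an added example, not Dcycle code: the probe URL is whatever read-only endpoint your integration already calls (none is assumed), and the state names are this example's own.

```python
import urllib.error
import urllib.request


def http_probe(url, org_id):
    """Return probe(api_key) -> HTTP status for one GET to `url`.

    `url` is a read-only endpoint your integration already calls (none is
    assumed here). Non-HTTPS URLs are refused so the key is never sent in clear.
    """
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to send an API key over a non-HTTPS URL")

    def probe(api_key):
        req = urllib.request.Request(
            url, headers={"x-api-key": api_key, "x-organization-id": org_id}
        )
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code  # 401 for a revoked key, per the page

    return probe


def rotation_state(probe, old_key, new_key):
    """Place the key pair on the rotation steps using live probe results."""
    if not 200 <= probe(new_key) < 300:
        return "new-key-not-verified"   # step 3 failed: do not revoke yet
    if probe(old_key) == 401:
        return "rotation-complete"      # step 4 done: old key is rejected
    return "safe-to-revoke"             # new key works, old key still live
```

Run it once before revoking and once after, reading both keys from environment variables or a secret manager rather than from the script.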

Data Protection

Encryption in Transit

TLS 1.2+ enforced on all endpoints. HTTP connections are rejected. All data between your systems and Dcycle is encrypted end-to-end.

Encryption at Rest

AES-256 encryption via AWS RDS for all database storage. S3 buckets use server-side encryption (SSE-S3/SSE-KMS) for uploaded files.

Data Residency

EU-hosted — all data is stored and processed in AWS eu-west-1 (Ireland). No data leaves the European Union.

GDPR Compliance

Dcycle acts as data processor under GDPR. Data processing agreements (DPAs) are available on request.
Automated daily backups with 7-day retention via AWS RDS automated snapshots. In case of accidental data deletion, contact contact@dcycle.io within 7 days with your organization ID and a description of the affected data.
Users can delete records at any time via the API or web application. Deleted records are removed from the primary database immediately. Backup copies are purged automatically after the 7-day retention window.
Dcycle runs on AWS (Amazon Web Services) with the following architecture:
  • Compute: ECS Fargate (containerized, serverless)
  • Database: RDS PostgreSQL (encrypted, private subnet)
  • Storage: S3 (server-side encryption)
  • Load balancing: Application Load Balancer with TLS termination
  • Network: VPC with private subnets, no direct internet access to databases
All infrastructure is managed with Infrastructure as Code (AWS CDK) for consistency and auditability.

Access Control

Dcycle uses organization-level access control with role-based permissions. Every API request is scoped to a single organization via the x-organization-id header.

Roles

| Role | Access Level | Typical Use |
| --- | --- | --- |
| Admin | Full access to all resources and settings | Organization owners and managers |
| Member | Create, read, update, and delete data | Day-to-day data management |
| Viewer | Read-only access | Auditors, external reviewers |

Organization Isolation

  • Users can only access organizations where they have an active membership
  • Each API request is scoped to a single organization — cross-organization data access is not possible without explicit membership
  • Parent organizations (holdings) can view aggregated data from subsidiaries when configured

Permission Model

Permissions are defined as resource:action pairs (e.g., facilities:create, vehicles:read). Available actions are: create, read, update, delete. Administrators can configure custom permission sets per role within their organization.
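
A minimal model of how organization membership, roles and resource:action permissions combine into a deny-by-default decision. This is an added illustration, not Dcycle's implementation: the `*` wildcard, the default sets per role, and the sample user and organization names are assumptions made for the example.

```python
ACTIONS = {"create", "read", "update", "delete"}

# Assumed defaults mirroring the Roles table; "*" (any resource) is this
# example's own shorthand. Admin-only settings access is not modelled.
ROLE_DEFAULTS = {
    "admin": {f"*:{a}" for a in ACTIONS},
    "member": {f"*:{a}" for a in ACTIONS},
    "viewer": {"*:read"},
}


def parse_permission(perm):
    """Split 'resource:action' and reject anything outside the four actions."""
    resource, sep, action = perm.partition(":")
    if not sep or not resource or action not in ACTIONS:
        raise ValueError(f"malformed permission: {perm!r}")
    return resource, action


def is_allowed(memberships, org_id, permission, custom_sets=None):
    """Deny by default: check membership, then the role's permission set.

    memberships: {org_id: role} for one user.
    custom_sets: {org_id: {role: {"resource:action", ...}}} set by admins.
    """
    resource, action = parse_permission(permission)
    role = memberships.get(org_id)
    if role is None:                      # no active membership in this org
        return False
    per_org = (custom_sets or {}).get(org_id, {})
    granted = per_org.get(role, ROLE_DEFAULTS.get(role, set()))
    return f"{resource}:{action}" in granted or f"*:{action}" in granted


# Constructed sample data (not real organizations or users).
BOB = {"org-a": "viewer", "org-b": "member"}
CUSTOM = {"org-b": {"member": {"facilities:create", "facilities:read", "vehicles:read"}}}
```

With this data the same user is read-only in org-a, limited to the custom set in org-b, and has no access to any organization where no membership exists.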

Logging & Auditability

What Is Logged

Every API request generates a structured log entry containing:

| Field | Description |
| --- | --- |
| Timestamp | When the request was received |
| Method & Path | HTTP method and endpoint (e.g., POST /api/v1/logistics/requests) |
| Status Code | Response HTTP status |
| Organization ID | Which organization the request targeted |
| Client IP | Source IP address |
| Correlation ID | Unique identifier for request tracing |
| Process Time | Request processing duration |

User Attribution

All data created via API is linked to the user who owns the API key. Every record includes:
  • created_by — the user who created the record
  • created_at — timestamp of creation
  • updated_at — timestamp of last modification
This ensures full traceability for compliance and audit purposes.

Request Tracing

Each API response includes tracing headers that can be provided to Dcycle support for incident investigation:
X-Request-ID: unique-request-identifier
X-Correlation-ID: correlation-identifier
Save these headers when debugging integration issues. Include them when contacting support to speed up investigation.

Integration Patterns

The Dcycle API supports multiple integration approaches depending on your needs:

| Pattern | Description | Typical Use Case |
| --- | --- | --- |
| Manual | Ad-hoc API calls or web application use | One-time data uploads, exploration |
| Scheduled | Cron jobs, CI/CD pipelines, periodic scripts | Monthly reporting, data sync |
| Automated | Event-driven, real-time API integrations | ERP integration, continuous data feeds |

Network Requirements

The Dcycle API is a public HTTPS endpoint (api.dcycle.io). No VPN, dedicated IP, firewall allowlisting, or special network configuration is required. Any environment with outbound HTTPS access (port 443) can connect.

Rate Limits

Default rate limits apply to all API keys:

| Limit | Value |
| --- | --- |
| Per organization | 1,000 requests/minute |
| Per API key | 50 requests/second |

Rate limit headers are included in every response:
  • X-RateLimit-Limit — maximum requests allowed
  • X-RateLimit-Remaining — requests remaining in the current window
  • X-RateLimit-Reset — time until the limit resets
Contact contact@dcycle.io if you need higher limits for your use case. For detailed integration examples, see Automation Overview and Reporting Pipelines.
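
A client can stay inside both limits by throttling itself: 50 requests/second sustained would be 3,000 per minute, so the per-organization limit of 1,000/minute is the one that binds for long-running jobs. The sketch below is an added example, not Dcycle code; the class and function names are hypothetical, and it assumes X-RateLimit-Reset carries seconds until reset, which the page does not state.

```python
import time
from collections import deque


class DualWindowLimiter:
    """Client-side throttle honouring both documented limits at once."""

    def __init__(self, per_second=50, per_minute=1000, clock=time.monotonic):
        self.windows = [(1.0, per_second, deque()), (60.0, per_minute, deque())]
        self.clock = clock

    def wait_time(self):
        """Seconds to wait before the next request fits in every window."""
        now = self.clock()
        delay = 0.0
        for span, limit, sent in self.windows:
            while sent and sent[0] <= now - span:
                sent.popleft()            # drop timestamps outside the window
            if len(sent) >= limit:
                delay = max(delay, sent[0] + span - now)
        return delay

    def record(self):
        """Call once per request actually sent."""
        now = self.clock()
        for _, _, sent in self.windows:
            sent.append(now)


def server_hint(headers):
    """Delay suggested by the response headers; 0.0 while quota remains.

    Assumption: X-RateLimit-Reset is a number of seconds until the reset.
    """
    h = {k.lower(): v for k, v in headers.items()}
    try:
        remaining = int(h["x-ratelimit-remaining"])
        reset = float(h["x-ratelimit-reset"])
    except (KeyError, ValueError):
        return 0.0
    return max(reset, 0.0) if remaining <= 0 else 0.0
```

The per-organization quota is shared by every key in the organization, so a limiter in one process only bounds that process's share; take the larger of `wait_time()` and `server_hint()` before sending.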

Incident Response

Reporting Security Issues

Report security concerns to contact@dcycle.io. Include as much detail as possible: what you observed, when it happened, and any relevant request/correlation IDs.

Our Process

| Phase | Description |
| --- | --- |
| Detection | Automated monitoring and alerting across all infrastructure components |
| Triage | Security team assesses severity and impact |
| Notification | Affected customers notified within 72 hours per GDPR requirements |
| Resolution | Root cause analysis and remediation applied |
| Post-incident | Post-incident report provided to affected customers on request |

Dcycle continuously monitors infrastructure health, application performance, and security events using AWS CloudWatch, automated alerting, and log analysis.

Next Steps

Authentication

Set up API keys, CLI login, and MCP integration

API Reference

Explore all available endpoints

Support

Contact our team for questions